Data breaches cost Australian organisations over two million dollars per incident

Over the last year, data breaches have become commonplace with both global and local brands falling victim to attackers. Household brands have come under scrutiny as customer data including names, email addresses and potentially even credit card details are leaked.

The sheer volume of incidents has put data breaches high on the agenda for Australian executives, who are looking to avoid the reputational and financial implications of data leakage. This is unsurprising given that the cost of a data breach has risen for the third consecutive year according to our recent survey. Locally, the average cost of a data breach increased from $2 million in 2010 to $2.16 million in 2011. Additionally, the cost per compromised record increased from $128 in 2010 to $138 in 2011.

However, despite a growing awareness of the financial impact of data breaches, local organisations are not yet investing in preventing these incidents. For some businesses this relates to a lack of insight around how breaches are occurring. Additionally, there is little incentive for organisations to proactively tackle data breaches due to the lack of local data breach notification laws.

Root causes of data breaches

In Australia malicious and criminal attacks were the main cause of data breaches in 2011. These were also the most expensive breaches with the highest per capita cost of $183 per record in 2011. This finding suggests that organisations need to focus on boosting their security posture. By implementing comprehensive security policies, processes and technologies they can address threats from the malicious insider or hacker.

The survey also found that lost or stolen mobile devices were a common factor in local data breaches, impacting 32 percent of Australian respondents. Additionally, 36 percent of local respondents said that their data breaches involved mistakes by third parties including outsourcers, cloud providers and business partners.

Businesses focus on the aftermath of data breaches

The survey revealed that even where businesses understand the cause of data breaches, they are still reluctant to invest in detecting and preventing breach incidents. Costs relating to the detection of data breaches increased by only five percent and notification costs remained static in 2011. Instead, local businesses are focusing their investment around the aftermath of a breach, with costs relating to reputation management and customer acquisition increasing sharply.

At first glance it seems odd that local organisations are focusing on damage limitation rather than on the prevention of data breaches. However, this can be explained by the lack of mandatory data breach disclosure legislation in Australia. This allows many data breach incidents to go unreported, meaning that businesses are less likely to be impacted by negative after effects.

The lack of data notification laws is concerning when we look at the impact of data breaches on consumers. Cybercriminals are typically able to access high volumes of customer data which they can exploit for financial gain. If consumers are not notified about data leakage they are unable to take precautionary measures to limit the financial consequences of a breach, such as changing passwords or cancelling credit cards.

Fast tracking the adoption of data breach notification laws is recommended. This would help to ensure that customer data is protected by encouraging businesses to minimise the likelihood of a breach rather than focusing on the aftermath. If these laws come into force we can expect to see a shift as businesses focus spending on detection and prevention rather than post-breach damage limitation.

However, while legislation plays a role, it's no silver bullet. Education and technology are equally important in the battle against data breaches. The following best practices will help organisations to prevent data leakage:

Assess risks by identifying and classifying confidential information

Educate employees on information protection policies and procedures, then hold them accountable

Extend these policies to any third parties that manage customer information; conduct regular audits and monitoring

Encrypt mobile devices, including laptops and smartphones, to minimise the consequences of a lost device

Integrate information-protection practices into business processes

With data breaches making headlines on a regular basis, it is easy to become desensitised to their impact. However, businesses need to prioritise the prevention of data breaches to reduce the financial and reputational impact of data loss and ensure the safety of their customer data, intellectual property and commercially sensitive information.
